Set Up AuthID for EPM

The following steps show how to set up an OIDC connection in BeyondTrust EPM to leverage authID's biometric authentication platform.

The authID Verified platform delivers human factor authentication (HFA) that combines secure FIDO2 passkeys with strong cloud biometric identity assurance to verify the human behind the device.

HFA fortifies something the user has with something the user is to protect work platforms from unauthorized access and lateral movement of bad actors with truly portable NIST and FIDO2 compliant authentication. Deploy unphishable, passwordless authentication on any desktop or mobile device and everywhere your employees, contractors, and partners work.

Install Endpoint Privilege Management

Using the appropriate installation guide for Windows or Mac, ensure Endpoint Privilege Management software is installed to computers and the computers are synchronized in the EPM console:

Authorized computers in EPM in authID integration.

For more information about installing Windows or Mac, please see:

Create authID Integration

  1. Follow the steps in the authID integration guide to create an identity provider.
  2. Set the Client Type to Public and Require PKCE to true. This will not generate a client secret but ensures that the integration remains secure using PKCE.
  3. Set the login redirect URL to com.beyondtrust.pmfm://idp.

For more information, please see authID Integration.

Set up identity provider for EPM in authID.

Update Policy

If you correctly configured and deployed a policy for Windows or macOS, update the policy to use the authID identity provider you created in the previous section.

  1. Edit and unlock the relevant policy in the policy list, and then navigate to Messages for either Windows or macOS.
  2. Click the Identity Provider Settings button to enter the following details for the integration:
    • Identity provider: Select OIDC from the menu.
    • Authority URI: Enter
    • Client ID: Enter the value from the previous step.
    • Redirect URI: Enter the redirect URI used for Windows endpoints.

Set up a message in EPM for authID integration.

  1. (Optional). Create a new message type or modify an existing one to activate the IdP authentication.
  2. In the third section, check the box Verify their Identity through an Identity Provider.
  3. Select Idp - OIDC from the Multifactor Authentication dropdown.

Identity provider settings for a message in a authID and EPM integration.

Test Policy (Optional)

You can test that the policy works correctly by having a user engage in an activity that activates the message you created. A dialog box displays where the user enters their details in the authID system to complete the authentication.

Test a policy works in EPM and authiD Verified integration.

From here, the default browser appears. The user is prompted to continue their authentication with authID:

authID authentication logon page in EPM integration.